> My question is: how easy is it for someone who can gain access to the user's
> computer (either physically or through a trojan) to COPY a security
> certificate and install it on another browser?  Does anyone know?

i don't believe there are any scriptkiddie type tools out there
to do it - but in theory you can get burned. your internet browser
has a form of protected storage to hold your client certificate. that
method of storage varies depending on type of browser, version of
browser, OS etc. netscape stores its client certificates in files like
secmod.db. IE/windows tends to use a certificate store based in the
registry.
java apps have their own certificate store.
if you are using a smartcard to generate/store your client certificate then
you are a lot better off. on those devices, in general, your private key
remains and is never present on/within your computer.
if you are not using a smartcard, an attacker/trojan would try and get
a copy of your (potentially encrypted) certificate store by copying it off
to their machine. they would then use a keyboard sniffer to watch you 
enter your password to that store. they could then utilize this info to 
use your certificate.
if you are using a smartcard that keeps the private key onboard, things get
tougher for the attacker. he can no longer gain access to your private key
without either hacking the interface/hardware of the smartcard itself, or
obtaining your physical smartcard.

regarding attacks that are only theoretical, i offer 2 grams to the first
person that contacts me with the name of the security related organization
that used the phrase "making the theoretical practical since 1992"

anyway, those are my personal thoughts on the matter for what they're
worth.

regards,
jay w.
[EMAIL PROTECTED]
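
As an added example that is not part of the original message: a POSIX-only Python check that flags browser certificate store files accessible to accounts other than the owner, since the copy step described above starts with read access to the store. Only secmod.db is named in the message; the other NSS file names and the function names are assumptions added here.

```python
import os
import stat
import tempfile

# NSS store file names. secmod.db is named in the message; the others are
# assumptions added here (legacy dbm and newer SQLite NSS databases).
STORE_FILES = {"secmod.db", "key3.db", "cert8.db", "key4.db", "cert9.db", "pkcs11.txt"}


def audit_store_files(profile_dir):
    """Return (path, octal_mode, reason) for store files exposed beyond the owner."""
    findings = []
    for root, _dirs, files in os.walk(profile_dir):
        for name in sorted(files):
            if name not in STORE_FILES:
                continue
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: inspect the link itself, do not follow it
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, None, "symlink: store may live outside the profile"))
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, oct(mode), "accessible to group/other accounts"))
    return findings


def demo():
    """Build a constructed profile directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files; notes.txt is not a store file and is ignored.
        for name, mode in (("secmod.db", 0o644), ("key3.db", 0o600), ("notes.txt", 0o666)):
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder, not a real store")
            os.chmod(path, mode)
        return [(os.path.basename(p), m, r) for p, m, r in audit_store_files(d)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

This only narrows exposure to other local accounts; a trojan running as the user can read the files regardless of mode bits.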
